Clay Foody
Required to have separate router and firewall devices - Recommendation?

Hello everyone. In order to meet a certain requirement, several of my sites must have a "separate router and firewall." The modem provided by the ISP does not meet the router requirement simply because it's owned by the ISP. We have already invested in FortiGate 60D routers, and we have VPN enabled on them, so a double-NATed connection is not really an option. What's worse is that there are Intrusion Protection and logging requirements, which we have solved using the FortiGate licensing, so it needs to be acting as the firewall.

I'm sure I could just get a router, configure a static route in it and put it in front of the FortiGate, but I don't see the point of it. Traffic would just pass straight through the router - it wouldn't be "routing" traffic; that's what the NAT firewall does.

Perhaps I'm missing something; has anybody had to meet this requirement before? Is it possible to have a separate NAT router with no firewall functions that then leads to a firewall and have it actually work? I would think this would stifle security due to the amount of control you would lose when it comes to the NAT itself.
asavener

Does it specify that the router must be outside the firewall?

I've seen problems fairly frequently by folks using the firewall as the default gateway for their internal network. Then they add a new subnet and suddenly connections start to fail.
Similarly, I've seen problems when the firewall is the edge device, and then they have a need to add a backup Internet connection.  Most firewalls are great as security devices, but suck at figuring out the optimal route, or detecting outages.
Clay Foody (ASKER)
This is a very small business - we're talking about 5 employees, so there's no need for subnetting or failover internet.

This separate router and firewall hardware requirement is due to an upcoming federal regulation that applies to the type of business they're doing.

Has anyone successfully separated a NAT router from a security firewall without running into routing issues and dropped connections? Again, the FortiGate is the device they've spent money on with licensing add-ons including the VPN and two-factor RSA keychains, etc.
Many times; that shouldn't be a problem.

I suggest a decent quality router, like a Cisco 2911. Just create a 1-to-1 NAT rule for the FortiGate, and some basic security settings on the router (preventing SSH and the like) and it should run just fine.

But a basic NAT device will do pretty much the same thing, if they can't afford the Cisco 2911.
I'm not sure I understand. Would I be creating a rule for the entire range of IP addresses on the internet to be directed to the Fortigate's WAN IP?
Currently your Fortigate has an Internet accessible address.

If you place it behind a router, it will have a private IP address.

The NAT rule is to create a public IP address that is translated to the private IP address on the Fortigate.
But how does web traffic find its way back to the originating computer that requested the webpage if the NAT takes place before the Fortigate?
Same way it does now, except it will be double NAT'd instead of NAT'd only one time.

Each security device will have its own NAT table, and the traffic translation will be handled appropriately at each hop.
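As an added illustration (not code from the thread or from Fortinet), here is a small Python model of the two-hop translation just described: a static 1-to-1 NAT at the router and a stateful port NAT at the firewall, each keeping its own table, so a reply is un-translated hop by hop while an unsolicited inbound packet with no state is dropped at the firewall. Addresses and ports used with it are constructed documentation-range values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class StaticNat:
    """Router hop: one public address mapped 1-to-1 to the firewall's private WAN address."""
    def __init__(self, public_ip, private_ip):
        self.public_ip, self.private_ip = public_ip, private_ip

    def outbound(self, p):
        # Only the mapped private address is rewritten to the public one.
        return Packet(self.public_ip, p.sport, p.dst, p.dport) if p.src == self.private_ip else None

    def inbound(self, p):
        # Anything addressed to the public IP is handed to the firewall's private address.
        return Packet(p.src, p.sport, self.private_ip, p.dport) if p.dst == self.public_ip else None

class PortNat:
    """Firewall hop: many LAN hosts share one WAN address; each flow gets its own table entry."""
    def __init__(self, wan_ip, first_port=40000):  # first_port is an arbitrary constructed value
        self.wan_ip, self.next_port = wan_ip, first_port
        self.fwd = {}  # (lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.rev = {}  # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)

    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.fwd:
            self.fwd[key] = self.next_port
            self.rev[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return Packet(self.wan_ip, self.fwd[key], p.dst, p.dport)

    def inbound(self, p):
        entry = self.rev.get((p.dport, p.src, p.sport))
        if entry is None:
            return None  # no matching state: unsolicited inbound traffic is dropped here
        return Packet(p.src, p.sport, entry[0], entry[1])

def round_trip(router, firewall, request):
    """Send a LAN request out through both hops and bring the server's reply back."""
    on_wire = router.outbound(firewall.outbound(request))
    reply = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport)  # server answers
    return on_wire, firewall.inbound(router.inbound(reply))
```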
ASKER CERTIFIED SOLUTION
Linsanity
There is a second option. Many of these regulations are actually requirements for separate logical devices, and not physical devices. Without the specifics for your regulatory and compliance requirements, I can't tell you if this answer would be sufficient, but it is for many PCI and HIPAA organizations that I have worked with:

FortiGate firewalls have a feature called Virtual Domains, which can be used to split the firewall into 2 separate logical devices. FortiGate 60Ds have a default license for 10 Virtual Domains being available. The regulation's requirement is quite often imposed so that 2 different individuals control network security (Security Team) and network routing (Network Team). If you are just doing basic static routing to the internet, you could theoretically just do your NAT control on a virtual domain connected to your ISP router, and do all of your firewall policies on the internal virtual domain, thereby saving you from introducing essentially a second piece of single-point-of-failure. The connection between the 2 VDOMs (virtual domains) is then either a network cable run between two interfaces connecting the two VDOMs, or you can use a feature called inter-VDOM links.

The Fortinet virtual domain administration guide has a lot more detail, in much more specific terms than I can provide in a single post.

http://docs.fortinet.com/uploaded/files/1078/fortigate-vdoms-50.pdf
Such a small environment does not necessitate virtual domains. This is only used for multiple organizations with different management planes. Think of the VDOMs as separate logical firewalls. Neither PCI nor HIPAA would require this, frankly... let's not overcomplicate this. We only deploy VDOMs for large multi-tenant type environments.
This is what we wound up doing and it's working.